- Fix build with uring for post SLE15 code streams.
- Use %product_libs_llvm_ver to determine the LLVM version.
- Remove conditionals for obsolete PostgreSQL releases.
- Upgrade to 13.23:
* https://www.postgresql.org/about/news/p-3171/
* https://www.postgresql.org/docs/release/13.23/
* bsc#1253332, CVE-2025-12817: Missing check for CREATE
privileges on the schema in CREATE STATISTICS allowed table
owners to create statistics in any schema, potentially leading
to unexpected naming conflicts.
* bsc#1253333, CVE-2025-12818: Several places in libpq were not
sufficiently careful about computing the required size of a
memory allocation. Sufficiently large inputs could cause
integer overflow, resulting in an undersized buffer, which
would then lead to writing past the end of the buffer.
OBS-URL: https://build.opensuse.org/request/show/1320378
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/postgresql13?expand=0&rev=39
* https://www.postgresql.org/docs/release/13.23/
* bsc#1253332, CVE-2025-12817: Missing check for CREATE
privileges on the schema in CREATE STATISTICS allowed table
owners to create statistics in any schema, potentially leading
to unexpected naming conflicts.
* bsc#1253333, CVE-2025-12818: Several places in libpq were not
sufficiently careful about computing the required size of a
memory allocation. Sufficiently large inputs could cause
integer overflow, resulting in an undersized buffer, which
would then lead to writing past the end of the buffer.
OBS-URL: https://build.opensuse.org/package/show/server:database:postgresql/postgresql13?expand=0&rev=111
- Upgrade to 13.20:
* Improve behavior of libpq's quoting functions:
The changes made for CVE-2025-1094 had one serious oversight:
PQescapeLiteral() and PQescapeIdentifier() failed to honor
their string length parameter, instead always reading to the
input string's trailing null. This resulted in including
unwanted text in the output, if the caller intended to
truncate the string via the length parameter. With very bad
luck it could cause a crash due to reading off the end of
memory.
In addition, modify all these quoting functions so that when
invalid encoding is detected, an invalid sequence is
substituted for just the first byte of the presumed
character, not all of it. This reduces the risk of problems
if a calling application performs additional processing on
the quoted string.
* Fix small memory leak in pg_createsubscriber.
* https://www.postgresql.org/docs/release/13.20/
* https://www.postgresql.org/about/news/p-3018/
OBS-URL: https://build.opensuse.org/request/show/1247461
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/postgresql13?expand=0&rev=35
* Improve behavior of libpq's quoting functions:
The changes made for CVE-2025-1094 had one serious oversight:
PQescapeLiteral() and PQescapeIdentifier() failed to honor
their string length parameter, instead always reading to the
input string's trailing null. This resulted in including
unwanted text in the output, if the caller intended to
truncate the string via the length parameter. With very bad
luck it could cause a crash due to reading off the end of
memory.
In addition, modify all these quoting functions so that when
invalid encoding is detected, an invalid sequence is
substituted for just the first byte of the presumed
character, not all of it. This reduces the risk of problems
if a calling application performs additional processing on
the quoted string.
* Fix small memory leak in pg_createsubscriber.
* https://www.postgresql.org/docs/release/13.20/
* https://www.postgresql.org/about/news/p-3018/
OBS-URL: https://build.opensuse.org/package/show/server:database:postgresql/postgresql13?expand=0&rev=102
- Upgrade to 13.14:
* bsc#1219679, CVE-2024-0985: Tighten security restrictions
within REFRESH MATERIALIZED VIEW CONCURRENTLY.
One step of a concurrent refresh command was run under weak
security restrictions. If a materialized view's owner could
persuade a superuser or other high-privileged user to perform a
concurrent refresh on that view, the view's owner could control
code executed with the privileges of the user running REFRESH.
Fix things so that all user-determined code is run as the
view's owner, as expected
* If you use GIN indexes, you may need to reindex after updating
to this release.
* LLVM 18 is now supported.
* https://www.postgresql.org/docs/release/13.4/
OBS-URL: https://build.opensuse.org/request/show/1145272
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/postgresql13?expand=0&rev=27
* bsc#1219679, CVE-2024-0985: Tighten security restrictions
within REFRESH MATERIALIZED VIEW CONCURRENTLY.
One step of a concurrent refresh command was run under weak
security restrictions. If a materialized view's owner could
persuade a superuser or other high-privileged user to perform a
concurrent refresh on that view, the view's owner could control
code executed with the privileges of the user running REFRESH.
Fix things so that all user-determined code is run as the
view's owner, as expected
* If you use GIN indexes, you may need to reindex after updating
to this release.
* LLVM 18 is now supported.
* https://www.postgresql.org/docs/release/13.4/
OBS-URL: https://build.opensuse.org/package/show/server:database:postgresql/postgresql13?expand=0&rev=80
- boo#1216022: Call install-alternatives from the devel subpackage
as well, otherwise the symlink for ecpg might be missing.
- Also buildignore the postgresql*-implementation symbols: this is
needed in order to bootstrap when no postgresql version currently
has valid symbols provided. Once the packages are built, OBS
could translate this to the pgname-* packages and accept the
ignores; during bootstrap though, there is nothing providing the
symbol and the existing buildignores do not suffice.
OBS-URL: https://build.opensuse.org/request/show/1120252
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/postgresql13?expand=0&rev=24
as well, otherwise the symlink for ecpg might be missing.
- Also buildignore the postgresql*-implementation symbols: this is
needed in order to bootstrap when no postgresql version currently
has valid symbols provided. Once the packages are built, OBS
could translate this to the pgname-* packages and accept the
ignores; during bootstrap though, there is nothing providing the
symbol and the existing buildignores do not suffice.
OBS-URL: https://build.opensuse.org/package/show/server:database:postgresql/postgresql13?expand=0&rev=74
